Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks

  1. © 2019 Synopsys, Inc. Creating a Modern AppSec Toolchain to Quantify Service Risks. Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center
  2. Modern application development and risk: it's not just about the applications, think process
  3. Being a security target is costly. Average cost of a data breach: $3.86 million. Lost business: $4.20 million. Average time to identify and contain a breach: 266 days. Source: 2018 Cost of a Data Breach Study (US data), Ponemon Institute
  4. Certifications and regulations guide current processes
     On-prem infrastructure policies
     • DISA STIGs, OVAL definitions and XCCDF
     • Managed via Chef, Puppet, Ansible or raw SSH tooling
     • Private cloud adopts similar policies
     Public cloud infrastructure policies
     • Provider is responsible for infrastructure security
     • Tenant remains responsible for VM security
     • Some operational risk is transferred to the provider
     Focus of certifications and regulations
     • PCI, PII and PHI
     • Process centric and often not technology aware
     • Developers assume compliance; there is no feedback loop
     • NIST SP 800-137 is focused on process: continuous monitoring is not prescriptive
  5. The Equifax breach focused attention on open source
  6. Modern application = proprietary code + open source components + API usage + application behavior and configuration
  7. Gartner definition of DevSecOps. Information security architects must:
     • Integrate security at multiple points, and
     • Preserve teamwork, agility and speed in development environments
     Security activities must be an integral part of the DevSecOps pipeline. DevOps teams have to own security the same way they own development and operations.
  8. Ouch – not so good!
  9. By 2021, DevSecOps practices will be embedded in 80% of rapid development teams. Source: Gartner, Integrating Security Into the DevSecOps Toolchain, Nov. 16, 2017. Benefits: higher speed, reduced friction, continuous feedback, lower cost
  10. The toolchain starts with process, i.e. define security targets and build the toolchain from them
  11. DevSecOps pipeline: agile quality and security checks. Stages: Dev (IDE) → Build → Test → Deploy → Prod → Ops, with feedback flowing back to the developer
     Dev/IDE: risk assessment, threat model, lightweight SAST, local unit tests
     Build: static analysis, SCA, unit tests, config tests, hardening check
     Test: functional tests, load test, performance test, DAST/IAST, penetration test
     Deploy, Prod and Ops: network scanning, continuous monitoring, env/config validation, threat intelligence, CVE reports, regulatory changes
  12. Example: IoT takes over the world
     IoT device: limited CPU resources, limited RAM for features, C/C++ typical, MQTT the common protocol. Constraints on the device: avoid MITM; certification of the OTA image
     MQTT broker: lightweight protocol, high volume, pub/sub interface
     Analysis engine: data stored for analysis
     Web UI: responsive application, view device data, view historical information
     Mobile interface: iOS/Android application, configure device, view device data, receive notifications
     Authentication and authorization service. Protocols and data layers shown: MQTT, WebSocket, Core Data
     Data flow: (1) configure via Bluetooth, (2) encrypted data published via MQTT, (3) data stored for analysis, (4) data viewed via the Web UI and the mobile interface
  13. The risks we control
  14. Identify security targets from platform requirements
     Goal: select an IoT toolchain meeting product and cost requirements
     Role: Security Architect, with CISO and Product Owner guidance
     Tasks and requirements:
     1. Select a platform supporting the desired protocols (protocol implementations must be resilient)
     2. Select a candidate vendor or open source stack
     3. Validate protocols against cost and stability (define a protocol fuzzing framework)
     4. Report on security targets during development
  15. Select development frameworks and environment
     Role: Development Lead, with Product Owner guidance
     Goal: select frameworks capable of meeting time-to-market and security targets
     Tasks and requirements:
     1. Select languages based on security
     2. Define the build environment
     3. Identify commercial and open source frameworks and libraries (define governance for security updates)
     4. Enable IDE security plugins
     5. Enable build-time CI analysis
  16. Perform continuous security assessments
     Role: Developer, with Development Lead guidance
     Goal: identify security governance issues prior to commits
     Tasks:
     1. Transparent security review during coding (no disruption to existing workflows)
     2. Remediation and contextual guidance (lower defect costs by shifting left)
     3. Developer reviews results before merging
  17. Catch complex security issues during build
     Role: Release Engineer, with guidance from QA and Product Owner
     Goal: ensure the release meets security and functional targets
     Tasks and requirements:
     1. Build triggered from merge/pull request
     2. Detailed scans run in parallel with the build process
     3. Optionally fail builds based on security targets/exceptions
     4. Analysis summaries fed back to IDE plugins
     5. Centralized security progress tracking
  18. Confirm governance and security target progress
     Role: Security Architect
     Goal: ensure the release meets security and functional targets
     Tasks:
     1. Centralized view of security results
     2. Review by a common taxonomy (OWASP Top 10, SANS Top 25)
     3. Triage issue status via defect workflows
     4. Measure progress against governance targets
     5. Define security targets for future releases
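Slides 17 and 18 describe a build that is failed against a security target, with exceptions triaged through a defect workflow. The following is an added example of such a gate, not Synopsys or Polaris code: the findings format, the finding ids, the exception records and the dates are all constructed for illustration. The point it makes is that an exception only suppresses a finding while it is complete (justification, approver, expiry) and unexpired, so an accepted risk has to be re-decided rather than silently living on.

```python
"""Build-time security gate: fail the build on findings at or above the
severity named by the release's security target, unless a documented,
approved and unexpired exception covers the finding.
Added example; not Synopsys/Polaris code. All sample data is constructed."""
import json
from dataclasses import asdict, dataclass, field
from datetime import date

# Rank used to compare a finding's severity against the policy threshold.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scan output; ids, tools and locations are illustrative only.
SAMPLE_FINDINGS = [
    {"id": "SAST-0001", "tool": "sast", "severity": "HIGH",
     "title": "SQL statement built by string concatenation", "location": "api/orders.py:88"},
    {"id": "SCA-0002", "tool": "sca", "severity": "CRITICAL",
     "title": "Known vulnerable version of a bundled parser library", "location": "requirements.txt"},
    {"id": "SAST-0003", "tool": "sast", "severity": "MEDIUM",
     "title": "MD5 used as an integrity check", "location": "ota/image.py:14"},
]

# Constructed risk-acceptance records. Each must name the finding, a
# justification, an approver and an expiry so the decision is auditable.
SAMPLE_EXCEPTIONS = [
    {"id": "SAST-0001", "justification": "Value is cast to int before use; proper fix scheduled",
     "approved_by": "security-architect", "expires": "2019-06-30"},
    {"id": "SCA-0002", "justification": "Vulnerable code path not reachable",
     "approved_by": "dev-lead", "expires": "2019-01-31"},   # expired: must not suppress the finding
]


@dataclass
class GateResult:
    passed: bool = True
    blocking: list = field(default_factory=list)   # at/above threshold, no valid exception
    excepted: list = field(default_factory=list)   # at/above threshold, covered by an exception
    warnings: list = field(default_factory=list)   # below threshold, reported but not blocking


def active_exceptions(exceptions, today):
    """Index exceptions by finding id, dropping incomplete or expired ones.

    A malformed record is treated as absent rather than as a wildcard, so a
    typo in the exceptions file cannot suppress a finding.
    """
    required = ("id", "justification", "approved_by", "expires")
    valid = {}
    for exc in exceptions:
        if not all(exc.get(k) for k in required):
            continue
        if date.fromisoformat(exc["expires"]) < today:
            continue
        valid[exc["id"]] = exc
    return valid


def evaluate(findings, exceptions, fail_at="HIGH", today=None):
    """Decide whether the build meets the security target.

    fail_at is the lowest severity that blocks. today may be a date or an ISO
    string; passing it explicitly keeps the gate's decision reproducible.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    threshold = SEVERITY_RANK[fail_at.upper()]
    exc_index = active_exceptions(exceptions, today)
    result = GateResult()
    for f in findings:
        rank = SEVERITY_RANK.get(f["severity"].upper())
        if rank is None:                      # unknown severity: fail closed
            result.blocking.append(f["id"])
        elif rank < threshold:
            result.warnings.append(f["id"])
        elif f["id"] in exc_index:
            result.excepted.append(f["id"])
        else:
            result.blocking.append(f["id"])
    result.passed = not result.blocking
    return result


def run_sample(today="2019-03-01"):
    """Run the gate over the constructed sample as of the given date."""
    return evaluate(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, fail_at="HIGH", today=today)


if __name__ == "__main__":
    verdict = run_sample()
    print(json.dumps(asdict(verdict), indent=2))
    raise SystemExit(0 if verdict.passed else 1)   # non-zero exit fails the CI job
```

In the sample the HIGH SAST finding is excepted (valid until mid-2019), the CRITICAL SCA finding blocks because its exception lapsed, and the MEDIUM finding is reported as a warning. Re-running the same inputs after 2019-06-30 makes the HIGH finding block as well, which is the intended effect: expiry forces the triage decision back into the defect workflow.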
  19. The risks controlling us
  20. Web services API usage
     API lifecycle
     • Twitter API shutdown, August 2018
     • Google+ shutdown, April 2019
     • Salesforce API versioning
     Data usage and control
     • GDPR: data processor vs. data controller
     • Data sovereignty and jurisdiction
     • Data mashups and inference scenarios
     Data and privacy breaches
     • Facebook API tokens
     • [24] and Delta, Kmart, Sears
     • Third-party data bleeds
     • Phone-home tracking
     • CVE-2018-1002105 in the Kubernetes API
  21. External factors impacting risk – ah, dependencies!
     • Explicit open source usage
       – Component origin, security and update process
       – How the component is linked into the application
       – Versioning semantics
     • Implicit open source usage
       – Component embedded in a binary library
       – Vendor support statements
       – Vendor data management
     • Impact of "point in time" decisions
       – Who tracks and updates cached components?
       – Community engagement
       – Development directions
  22. Threat landscape controlled by actors, not defenders
     Threat agents
     • Scan networks for weaknesses using toolkits
     • Success is a numbers game: zero knowledge of the target
     • Perimeter defenses can be false positives
     • Utilize multiple factors for attack reconnaissance
     Infiltration
     • Occurs through at least one vector
     • Creates beachheads supporting infection, C&C and lateral movement
     • Exploits latent vulnerabilities and misconfigurations
     Mitigation powered by information flow
     • Can't exploit what doesn't exist
     • Focus attention on unpatched services
     • Open source originates from multiple channels, and patches must match
     • Recognize that the attack landscape evolves
     Attack surface funnel: global IP space → managed systems → accessible systems → vulnerability present
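Slide 21's "point in time" decisions and slide 22's "focus attention on unpatched services" both come down to knowing exactly which component versions shipped. The following added example (not Synopsys code; the manifest, component names and ADV-nnnn advisory ids are constructed and do not refer to real packages or CVEs) parses a requirements-style manifest, separates pinned components from specifiers that cannot name one version, and matches pinned versions against advisory ranges with the zero-padded comparison that version semantics require.

```python
"""Dependency inventory check: which components are pinned, which are
resolved only at build time ("point in time" risk), and which pinned
versions fall inside an advisory's affected range.
Added example, not Synopsys code; manifest, names and advisory ids are constructed."""
import re

# Constructed requirements-style manifest. Only '==' pins name one version.
SAMPLE_MANIFEST = """\
# constructed manifest for an IoT backend service
mqtt-client-lib==1.4.0
webui-framework==1.0.2
http-client-lib>=2.18
tls-helper-lib
"""

# Constructed advisories; ids are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "component": "webui-framework", "affected": ">=0.12,<1.0.3", "severity": "HIGH"},
    {"id": "ADV-0002", "component": "mqtt-client-lib", "affected": "<1.4.0", "severity": "MEDIUM"},
]

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*(\S+)?$")
CLAUSE_RE = re.compile(r"^(==|!=|>=|<=|>|<)\s*(\d+(?:\.\d+)*)$")


def parse_version(text):
    """'1.0.2' -> (1, 0, 2); None for anything that is not dotted integers."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        return None
    return tuple(int(p) for p in text.split("."))


def compare(a, b):
    """Compare version tuples, zero-padding so that 1.0 == 1.0.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


OPS = {"==": lambda c: c == 0, "!=": lambda c: c != 0, ">=": lambda c: c >= 0,
       "<=": lambda c: c <= 0, ">": lambda c: c > 0, "<": lambda c: c < 0}


def in_range(version, spec):
    """True if version satisfies every comma-separated clause, e.g. '>=0.12,<1.0.3'."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unsupported version string: {version}")
    for clause in spec.split(","):
        m = CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported range clause: {clause}")
        op, bound = m.groups()
        if not OPS[op](compare(v, parse_version(bound))):
            return False
    return True


def parse_manifest(text):
    """Yield (name, operator, version) per requirement; comments and blanks skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {line}")
        name, op, ver = m.groups()
        yield name.lower(), op, ver


def check_inventory(manifest, advisories):
    """Classify each dependency as unresolved, affected (with advisory ids) or clean."""
    report = {"unresolved": [], "affected": [], "clean": []}
    for name, op, ver in parse_manifest(manifest):
        if op != "==" or ver is None or parse_version(ver) is None:
            # No single version is implied: what shipped depends on when the build ran.
            report["unresolved"].append(name)
            continue
        hits = [a["id"] for a in advisories
                if a["component"].lower() == name and in_range(ver, a["affected"])]
        if hits:
            report["affected"].append((name, ver, hits))
        else:
            report["clean"].append((name, ver))
    return report


if __name__ == "__main__":
    for key, items in check_inventory(SAMPLE_MANIFEST, SAMPLE_ADVISORIES).items():
        print(f"{key}: {items}")
```

The unresolved bucket is the "who tracks cached components" question made concrete: those two entries cannot be matched against any advisory until the build records what it actually resolved, which is why the takeaway later in the deck asks for a dependency inventory alongside continuous monitoring.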
  23. Bringing it all together to keep pace
  24. Keeping up requires a strategic security initiative (SSI). Forces the SSI must account for: security tools; CI/CD; DevOps; vulnerabilities; regulatory requirements; product release acceleration; vendors and supply chains; languages, frameworks and architectures; attackers and attacks; Agile; open source; containers
  25. Strategy and planning: measure your SSI to highlight efforts and gaps. Maturity Action Plan (MAP); Building Security In Maturity Model (BSIMM)
  26. Addressing AppSec gaps: outsource security ninjas. Internal resource capacity is fixed while resource demand spikes on triggering events (company acquisition, security breach, product release, compliance audit); outsourced security testing covers the demand above what internal resources can absorb
  27. DevSecOps loop: plan, code, build, test, release, deploy, operate, monitor
  28. Toolchain overlaid on the loop (plan, code, build, test, release, deploy, operate, monitor)
     Central server: build and test environment; integrated analysis engines; centralized management; consolidated reporting; alerting and workflow; CI/CD and DevOps integration; SaaS/private cloud deployment
     Code Sight developer environment: integrated local + central analysis; IDE plugin for IntelliJ, Eclipse and Visual Studio; context-sensitive eLearning
  29. Security toolchain: Synopsys Polaris with Code Sight
     Code Sight IDE plugins: support all popular IDEs; incremental, high-fidelity analysis; local issue triage and management; check in to SCM and trigger central builds; complement central scans
     CI/CD integration: invoke analysis; perform capture and send to the platform
     Polaris central server in the public/private cloud: run analysis on the platform; central issue triage and management; centralized reporting; alerts and notifications
  30. Security activities mapped onto the loop (plan, code, build, test, release, deploy, operate, monitor): policies and standards; ARA (architecture risk analysis); software security group, model and initiatives; security training/eLearning; outsourced security ninjas; SCA; SAST; IAST; DAST and pen testing; threat modeling; red teaming and pen testing; WAF/RASP
  31. Key takeaways
     Measure progress against targets and changes in direction
     • Identify opportunities to reduce business risk with new technologies
     • Design update mechanisms for resiliency against MITM attacks
     • Legacy best practices may increase risk when applied to new paradigms
     Reduce the risks of non-compliance
     • Implement continuous monitoring of all deployed apps, complete with a dependency inventory
     • Reassess point-in-time decisions and the impact of new regulations
     • Proactively compare running infrastructure against configured infrastructure for deltas
     Define security targets when selecting components and toolchains
     • Ensure the criteria are understood in Ops, Development and Procurement
     • Train all development and operations teams to identify changes in risk
     • Document decisions impacting risk acceptance at all points in the SDLC
  32. Build secure, high-quality software faster
  33. Embedding security targets within your toolchain: Developer → Build → Test → Deploy → Production, with feedback and security monitoring flowing back to the developer